edit-icon download-icon

RAM authentication

Last Updated: Apr 07, 2018

Before calling VPC APIs using a RAM user, the primary account must grant the RAM user the corresponding permission by creating an authentication policy. In the authentication policy, an Alibaba Cloud Resource Name (ARN) is used as the unique identifier of the resource to authorize.

This document introduces the VPC resources and APIs that can be authorized and the corresponding ARN format.

VPC resources

The following table lists the VPC resources that can be authorized and the ARN format.

Resource type Resource description in the authorization rule
VPC acs:vpc:$regionid:$accountid:vpc/$vpcid
acs:vpc:$regionid:$accountid:vpc/*
acs:vpc:*:$accountid:vpc/*
VRouter acs:vpc:$regionid:$accountid:vrouter/$vrouterid
acs:vpc:$regionid:$accountid:vrouter/*
acs:vpc:*:$accountid:vrouter/*
VSwitch acs:vpc:$regionid:$accountid:vswitch/$vswitchid
acs:vpc:$regionid:$accountid:vswitch/*
acs:vpc:*:$accountid:vswitch/*
Route Table acs:vpc:$regionid:$accountid:routetable/$routetableid
acs:vpc:$regionid:$accountid:routetable/*
acs:vpc:*:$accountid:routetable/*
HaVip acs:vpc:$regionid:$accountid:havip/$havipid
acs:vpc:$regionid:$accountid:havip/*
acs:vpc:*:$accountid:havip/*
EIP acs:vpc:$regionid:$accountid:eip/$allocationid
acs:vpc:$regionid:$accountid:eip/*
acs:vpc:*:$accountid:eip/*
NAT Gateway acs:vpc:$regionid:$accountid:natgateway/$natgatewayid
acs:vpc:$regionid:$accountid:natgateway/*
acs:vpc*:$accountid:vpc/*
NAT Gateway Bandwidth Package acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid
acs:vpc:$regionid:$accountid:bandwidthpackage/*
acs:vpc:*:$accountid:vpc/*
Forward Table acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid
acs:vpc:$regionid:$accountid:forwardtable/*
acs:vpc:*:$accountid:vpc/*
SNAT Table acs:vpc:$regionid:$accountid:snattable/$snattableid
acs:vpc:$regionid:$accountid:snattable/*
acs:vpc:*:$accountid:vpc/*
Customer Gateway acs:vpc:$regionid:$accountid:customergateway/$customergatewayid
acs:vpc:$regionid:$accountid:customergateway/*
acs:vpc:*:$accountid:customergateway/*
IPsec Connection acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid
acs:vpc:$regionid:$accountid:vpnconnection/*
acs:vpc:*:$accountid:vpnconnection/*
VPN Gateway acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid
acs:vpc:$regionid:$accountid:vpngateway/*
acs:vpc:*:$accountid:vpngateway/*
Global Acceleration Instance acs:vpc:$regionid:$accountid: globalaccelerationinstance /$ globalaccelerationinstanceid
acs:vpc:$regionid:$accountid: globalaccelerationinstance /
acs:vpc:
:$accountid: globalaccelerationinstance /*
General Expression acs:vpc:$regionid:$accountid:*
acs:vpc:*:$accountid:*

VPC APIs

The following table lists the VPC actions that can be authorized and the ARN format.

API ARN format
vpc:CreateVpc acs:vpc:$regionid:$accountid:vpc/*
vpc:DeleteVpc acs:vpc:$regionid:$accountid:vpc/$vpcid
vpc:DescribeVpcs acs:vpc:$regionid:$accountid:vpc/*
vpc:ModifyVpcAttribute acs:vpc:$regionid:$accountid:vpc/$vpcid
vpc:DescribeVRouters acs:vpc:$regionid:$accountid:vrouter/*
VRouterId specified:
“vpc:Vpc”:”acs:vpc:$regionid:$accountid:vpc/$vpcid”
VRouterId not specified:
“vpc:Vpc”:”acs:vpc:$regionid:$accountid:vpc/*”
vpc:ModifyVRouterAttribute acs:vpc:$regionid:$accountid:vrouter/$vrouterid
vpc:CreateVSwitch acs:vpc:$regionid:$accountid:vswitch/*
acs:vpc:$regionid:$accountid:vpc/$vpcid
vpc:DeleteVSwitch acs:vpc:$regionid:$accountid:vswitch/$vswitchid
vpc:DescribeVSwitches acs:vpc:$regionid:$accountid:vswitch/*
“vpc:Vpc”:”acs:vpc:$regionid:$accountid:vpc/$vpcid”
vpc:ModifyVSwitchAttribute acs:vpc:$regionid:$accountid:vswitch/$vswitchid
vpc:CreateRouteEntry acs:vpc:$regionid:$accountid:routetable/$routetableid
vpc:DeleteRouteEntry acs:vpc:$regionid:$accountid:routetable/$routetableid
vpc:DescribeRouteTables acs:vpc:$regionid:$accountid:routetable/*
The route table in VRouter:
“vpc:VRouter”:”acs:vpc$regionid:$accountid:vrouter/$vrouterid”
vpc:CreateHaVip acs:vpc:$regionid:$accountid:havip/*
acs:vpc:$regionid:$accountid:vswitch/$vswitchid
vpc:DeleteHaVip acs:vpc:$regionid:$accountid:havip/$havipid
vpc:AssociateHaVip acs:vpc:$regionid:$accountid:havip/$havipid
acs:ecs:$regionid:$accountid:instance/$instanceid
vpc:UnassociateHaVip acs:vpc:$regionid:$accountid:havip/$havipid
acs:ecs:$regionid:$accountid:instance/$instanceid
vpc:DescribeHaVips acs:vpc:$regionid:$accountid:havip/*
vpc:AllocateEipAddress acs:vpc:$regionid:$accountid:eip/*
vpc:AssociateEipAddres The InstanceType is EcsInstance:
acs:vpc:$regionid:$accountid:eip/$allocationid
acs:ecs:$regionid:$accountid:instance/$instanceid
The InstanceType is HaVip:
acs:vpc:$regionid:$accountid:eip/$allocationid
acs:vpc:$regionid:$accountid:havip/$havipid
vpc:DescribeEipAddresses acs:vpc:$regionid:$accountid:eip/*
vpc:ModifyEipAddressAttribute acs:vpc:$regionid:$accountid:eip/$allocationid
vpc:UnassociateEipAddress The InstanceType is EcsInstance:
acs:vpc:$regionid:$accountid:eip/$allocationid
acs:ecs:$regionid:$accountid:instance/$instanceid
The InstanceType is HaVip:
acs:vpc:$regionid:$accountid:eip/$allocationid
acs:vpc:$regionid:$accountid:havip/$havipid
vpc:ReleaseEipAddress acs:vpc:$regionid:$accountid:eip/$allocationid
vpc:DescribeEipMonitorData acs:vpc:$regionid:$accountid:eip/$allocationid
CreaeNatGateway acs:vpc:$regionid:$accountid:natgateway/*
DescribeNatGateways Query the specified NAT gateway:
acs:vpc:$regionid:$accountid:natgateway/$natgatewayid
Query the list of NAT gateways:
acs:vpc:$regionid:$accountid:natgateway/*
ModifyNatGatewaySpec acs:vpc:$regionid:$accountid:natgateway/$natgatewayid
ModifyNatGatewayAttribute acs:vpc:$regionid:$accountid:natgateway/$natgatewayid
DeleteNatGateway acs:vpc:$regionid:$accountid:natgateway/$natgatewayid
CreateBandwidthPackage acs:vpc:$regionid:$accountid:bandwidthpackage/*
DescribeBandwidthPackages Query the specified bandwidth package:
acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid
Query the list of bandwidth packages:
acs:vpc:$regionid:$accountid:bandwidthpackage/*
ModifyBandwidthPackageSpec acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid
ModifyBandwidthPackageAttribute acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid
AddBandwidthPackageIps acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid
RemoveBandwidthPackageIps acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid
DeleteBandwidthPackage acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid
CreateForwardEntry acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid
DeleteForwardEntry acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid
ModifyForwardEntry acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid
DescribeForwardTableEntries acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid
CreateSnatEntry acs:vpc:$regionid:$accountid:snattable/*
ModifySnatEntry acs:vpc:$regionid:$accountid:snattable/$snattableid
DescribeSnatTableEntries acs:vpc:$regionid:$accountid:snattable/$snattableid
DeleteSnatEntry acs:vpc:$regionid:$accountid:snattable/$snattableid
vpc:CreateCustomerGateway acs:vpc:$regionid:$accountid:customergateway/*
vpc:DeleteCustomerGateway acs:vpc:$regionid:$accountid:customergateway/$customergatewayid
vpc:DescribeCustomerGateway acs:vpc:$regionid:$accountid:customergateway/$customergatewayid
vpc:DescribeCustomerGateways acs:vpc:$regionid:$accountid:customergateway/*
vpc:ModifyCustomerGatewayAttribute acs:vpc:$regionid:$accountid:customergateway/$customergatewayid
vpc:CreateVpnConnection acs:vpc:$regionid:$accountid:vpnconnection/*
vpc:DeleteVpnConnection acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid
vpc:DescribeVpnConnection acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid
vpc:DescribeVpnConnections acs:vpc:$regionid:$accountid:vpnconnection/*
vpc:ModifyVpnConnectionAttribute acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid
vpc:DownloadVpnConnectionConfig acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid
vpc:DeleteVpnGateway acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid
vpc:DescribeVpnGateway acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid
vpc:DescribeVpnGateways acs:vpc:$regionid:$accountid:vpngateway/*
vpc:ModifyVpnGatewayAttribute acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid
vpc:CreateGlobalAccelerationInstance acs:vpc:$regionid:$accountid:globalaccelerationinstance/*
vpc:AssociateGlobalAccelerationInstance acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid
acs:ecs:$regionid:$accountid:instance/$instanceid
vpc:UnassociateGlobalAccelerationInstance acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid
vpc:ModifyGlobalAccerlationInstanceSpec acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid
vpc:ModifyGlobalAccerlationInstanceAttributes acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid
vpc:DeleteGlobalAccelerationInstance acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid
vpc:DescribeGlobalAccelerationInstances acs:vpc:$regionid:$accountid:globalaccelerationinstance/*
vpc:DescribeServerRelatedGlobalAccelerationInstances acs:vpc:$regionid:$accountid:globalaccelerationinstance/*
acs:ecs:$regionid:$accountid:instance/$instanceid
Thank you! We've received your feedback.